Richard Raysman and Peter Brown write in today's NYLJ that
the answer to that question remains unsettled. The issue was raised in a recent
case involving a Cleveland newspaper that reported on a judge's anonymous
comments (about pending cases) to its website. Here's a taste of Raysman
and Brown's article:

The law surrounding the contractual
nature of privacy policies remains unsettled: Are they merely broad statements
of company policy or enforceable contracts?

Some courts have held that general
statements like privacy policies are unilateral corporate statements that are
not sufficiently definite to form a contract. Others have found privacy
policies can form a contract, particularly when parties claiming a breach have
alleged that they read and subsequently relied on the policy prior to
transacting business with the site operator. See e.g., Meyer v.
Christie, 2007 WL 3120695 (D. Kan. Oct. 24, 2007).

Regardless, any successful claim
for breach of contract requires a showing of compensable loss arising out of
the alleged breach, beyond a generalized claim of loss of privacy.

Ruling on a motion to dismiss, the
court found that the plaintiff seemed to have alleged that the privacy policy
provisions allegedly violated were part of his agreement with his ISP and that
he relied on them.

However, the court dismissed the
plaintiff's contract claims, with leave to amend, because the plaintiff failed
to plead any loss stemming from the alleged breach.

Similarly, in Cherny v.
Emigrant Bank, 604 F.Supp.2d 605 (S.D.N.Y. 2009), the court ruled
that the disclosure of an e-mail address allegedly in contravention of the
defendant's privacy policy that resulted in the plaintiff's receipt of spam,
but no other misuse, could not form a cognizable breach of contract action
because of a lack of recoverable damages.

They also discuss the FTC’s “aggressive stance” with regard
to data privacy. Interesting issue; the
article is worth a read.